
New Phishing Scam Reels in Netflix Users to TLS-Certified Sites

Researchers are warning of a new Netflix phishing scam that leads to sites with valid TLS certificates.

Researchers are warning of a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates.

Johannes Ullrich, dean of research at the SANS Technology Institute, said Wednesday that there’s been an uptick in Netflix phishing mails using TLS-certified sites.

The bad actors behind the attacks exploit unpatched installs or plugins, or weak passwords, to compromise common content-management systems such as WordPress or Drupal, said Ullrich. From there, they create phishing sites on the compromised domains that could be mistaken for real Netflix domains. In some cases, they are using wildcard DNS records.

“With a wildcard DNS record, *anything.domain.com will point to the same IP address,” the researcher said in a post. “The attacker will just use a subdomain/hostname to launch the attack. But I have also seen them use specific domain names registered for the phish.”

The attacker can then obtain a TLS certificate for a Netflix-themed hostname, such as netflix.domain.com or netflix.login.domain.com; the valid certificate (and the browser padlock that comes with it) helps the site avoid being flagged by safe-browsing software.

The initial spoofed emails are the weak part of the campaign, and are easy to spot, said Ullrich.

“The email was marked as spam, and the email is not worded that well,” he said. “In this case, the link went to hxxps://www.safenetflax.com, a domain registered just to impersonate Netflix. This domain no longer resolves.”

After clicking on the link, Ullrich found that the websites appear believable and look very much like the real Netflix: “The only modification I can spot is that the alternative login methods like Facebook are missing,” he said.

While Netflix accounts aren’t particularly valuable (Ullrich said he has seen them offered from $0.20-0.50 per account), the attack may be enticing to cyber-criminals as it can be easily automated – and hard for victims to spot, he said.

“Once a Netflix account is compromised, it can often be used for a long time undetected as Netflix allows multiple simultaneous streams for its standard and premium accounts,” said Ullrich. “Unless the legitimate user gets ‘kicked off’ for using too many streams, the legitimate user will never know that there is someone else using their account.”

The use of TLS in phishing attacks has increased dramatically over the years; last year, Zscaler said that it saw a 400 percent increase in phishing attempts delivered over SSL/TLS compared with 2016.

“Hackers are posting phishing pages on legitimate domains that they have compromised,” said Deepen Desai, director of security research at Zscaler, in a post about the increase. “Many of these legitimate sites support SSL/TLS, and there are very few network security solutions that can support inspection of encrypted packets at scale.”

However, Ullrich said that using TLS may ultimately have been a mistake on the attacker’s part: every publicly trusted certificate is recorded in Certificate Transparency logs, where Netflix or anyone else monitoring for its brand can find the phishing hosts as soon as the certificate is issued. And the benefit to the attacker is questionable: “I doubt many users would notice if the site didn’t use TLS,” he said.
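The two points above, brand-bearing hostnames on unrelated domains (netflix.login.domain.com) and look-alike domains registered for the phish (safenetflax.com), are exactly what a brand owner can hunt for in Certificate Transparency data. The following is an added example written for this article, not code from Ullrich’s SANS post or from Threatpost: it takes a batch of certificate subject names in the shape a CT log search returns, splits each into its registrable domain and subdomain labels, and flags names whose labels contain the brand or are within one edit of it. The log entries are constructed, the allowlist of Netflix-owned domains is an illustrative assumption, and the two-label public-suffix table is a stand-in for the real Public Suffix List.

```python
"""
Flag Netflix-impersonating hostnames in certificate log entries.

Added example for this article; not code from Ullrich's post or Threatpost.
SAMPLE_LOG is constructed; OWNED_DOMAINS and TWO_LABEL_SUFFIXES are
illustrative assumptions (use the full Public Suffix List in practice).
"""
import json

BRAND = "netflix"
# Assumption: registrable domains the brand actually controls.
OWNED_DOMAINS = {"netflix.com", "netflix.net"}
# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample resembling the "names" field of CT log search results.
SAMPLE_LOG = json.dumps([
    {"issuer": "Let's Encrypt", "names": ["netflix.login.example.com"]},
    {"issuer": "Let's Encrypt", "names": ["*.example.net"]},
    {"issuer": "Let's Encrypt", "names": ["www.safenetflax.com", "safenetflax.com"]},
    {"issuer": "DigiCert", "names": ["www.netflix.com", "netflix.com"]},
    {"issuer": "Let's Encrypt", "names": ["blog.example.org"]},
])


def levenshtein(a, b):
    """Edit distance between two strings (catches typo-squats like 'netflax')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Owner-controlled part of a hostname (eTLD+1) under the toy suffix table."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_like(label):
    """True if any window of the label is the brand or one edit away from it."""
    n = len(BRAND)
    for width in (n - 1, n, n + 1):
        for start in range(max(1, len(label) - width + 1)):
            if levenshtein(label[start:start + width], BRAND) <= 1:
                return True
    return False


def classify(name):
    """Verdict for one subject alternative name from a certificate."""
    host = name.lower()[2:] if name.startswith("*.") else name.lower()
    reg = registrable_domain(host)
    if reg in OWNED_DOMAINS:
        return "owned"
    if brand_like(reg.split(".")[0]):
        return "lookalike-domain"        # e.g. safenetflax.com
    sub_labels = host[: len(host) - len(reg)].rstrip(".").split(".")
    if any(brand_like(label) for label in sub_labels if label):
        return "brand-subdomain"         # e.g. netflix.login.example.com
    return "unrelated"


def scan(log_json):
    """Return the names an analyst should look at, in log order."""
    hits = []
    for entry in json.loads(log_json):
        for name in entry["names"]:
            verdict = classify(name)
            if verdict in ("brand-subdomain", "lookalike-domain"):
                hits.append({"name": name, "verdict": verdict, "issuer": entry["issuer"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['verdict']:18} {hit['name']:30} ({hit['issuer']})")
```

Running it against the constructed log flags netflix.login.example.com as a brand-bearing subdomain and both safenetflax.com names as look-alike domains, while the legitimate netflix.com names and blog.example.org pass. Note the caveat the wildcard entry illustrates: a certificate for *.example.net covers netflix.example.net without that name ever appearing in the log, so CT monitoring catches the specific-name certificates Ullrich describes but not phishing hosts served under a wildcard certificate on a compromised domain.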

Netflix phishing campaigns have been ongoing for years, but a new wave of fake emails and malicious links has recently cropped up, with various law-enforcement agencies warning the public to be on the lookout for the scams.

Several police forces in Canada, for instance, have recently advised the public of a phishing scam in which bad actors impersonate Netflix to obtain victims’ banking information.

Netflix, for its part, recommends users avoid clicking links sent via email; and that they report any suspicious messages through its official website.

Authors

Threatpost
